Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude fields from LinearRegression command/use subsearch to generate fields for LinearRergession ?

achervov
Engager
‎07-25-2018 03:03 AM

Consider fit LinearRegression
| fit LinearRegression "name2predict" from "f1" "f2" into "test_model"

Question 0
What are flexebilities defining the FEATURE LIST -- i.e. from "f1" "f2" ?

SubQuestion 1
Is it possible to write something like
NOT "f1" - exclude "f1"
or something like f1* OR f2*
etc ?

SubQuestion 2 Can we use somehow subsearch to generate fields list ?

If no simple way to do it what are some ways round ?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎07-25-2018 08:41 AM

If you wanted to exclude f1 then you should not include it as your explanatory field.. Why would you want to choose f1 OR f2? Why not just include both and let the machine determine which feature to put emphasis on? You can run | summary <model_name> to identify how much impact each feature has on the target function.

Why do you mean using a sub-search to generate a fields list? Are you referring to making the data available so you can fit your model? If so, then you can use whatever you want just as long as the data is available before the fit command. One thing to consider though is speed and scale. You need to make sure your search is fast so it can run on a consistent basis so the machine can keep learning and adapting

0 Karma
Reply

achervov
Engager
‎07-25-2018 11:43 PM

To make explicit description of fields names is very inconvenient in my case, because that names can be changed. I want to exclude very specific name like "_time" , but I do not want to exclude by previous "field - _time" command, because then it will dispappear from the whole pipiline, so it would be impossible to plot by next command "table _time, error". By using subsearch I mean something like [ | mcatalog | return ??? ] put such expression instead of explicit fields list.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...